GA Release Matrix

The table lists the latest released DocuPhase Forms versions.

Product Version Matrix

Product	Latest Version	Release Date	Release Notes
DocuPhase Forms Cloud	v11.3.0	07/23/2024	Detailed Release Notes
DocuPhase Forms On Premise	v11.0.13	11/28/2023	Detailed Release Notes
frevvo for Confluence	v10.1.22*	03/30/2022	Detailed Release Notes
frevvo Confluence Plugin	see ref		Confluence Add-on Release Notes *Not available in v11.0+
DocuPhase Forms Database Connector	v2.9.0 (Cloud Only) v2.7.1	07/23/2024 09/17/2022	Database Connector Release Notes
DocuPhase Forms Filesystem Connector	v1.6.0	07/23/2024	Filesystem Connector Release Notes
DocuPhase Forms Google Connector (Legacy)	v3.4.0 (Cloud Only) v3.1.1	07/23/2024 01/05/2023	Google Connector Release Notes
DocuPhase Forms SharePoint Connector (Legacy)	v1.4.0 (Cloud Only) v1.2.0	07/23/2024 09/17/2022	SharePoint Connector Release Notes
DocuPhase Forms API .NET Client	see ref		Data API Client Libraries Releases

*frevvo for Confluence is no longer available in v11.0+.

Security Vulnerabilities

The following security vulnerabilities have been addressed as follows:

Man in the middle - This has to do with executing the CGI Servlet. This servlet is disabled in the frevvo Apache tomcat distribution. Customers who choose to enable the servlet are responsible for ensuring security viz. adding filter etc.
Version Disclosures - Resolved by configuring the ErrorReportValve in \frevvo\tomcat\conf\server.xml file (in the Host section) as described in this Apache tomcat website. The parameter that needs to be modified is:
```
<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
```

X-Frame-Options Header Not Set - Resolved by modification at the tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the tomcat web.xml. The filter is documented here. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter - (SAMEORIGIN or ALLOW-FROM).

Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOW-FROM instead.

Click the appropriate link below for filter examples.

Example of filter with SAMEORIGIN

<filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
		<init-param>
			<param-name>antiClickJackingOption</param-name>
			<param-value>SAMEORIGIN</param-value>
		</init-param>
        <async-supported>true</async-supported>
</filter>

<filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Example of filter with ALLOW-FROM for embedded forms

<filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
		<init-param>
			<param-name>antiClickJackingOption</param-name>
			<param-value>ALLOW-FROM</param-value>
		</init-param>
		<init-param> 
            <param-name>antiClickJackingUri</param-name> 
            <param-value> http://example.com:80/*</param-value> 
        </init-param>
        <async-supported>true</async-supported>
</filter>

<filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
</filter-mapping>

frevvo v10.2 resolved Apache Log4j vulnerability with SOLR upgrade.